Bug bounties are in the news again. Twitter has announced its own program, while Robert Graham of Errata Security has argued that legal actions brought for loss of personal data will more than likely succeed against any company if the service provider does not have a bounty program. He reasons this is so because in the absence of a bug bounty program, it would appear that a breached company did not do all it could to prevent the intrusion.
Graham’s point of view implies that bug bounties are an effective security process. Twitter’s bounties suggest they need not be expensive. But is either claim true? I spoke to Ilia Kolochenko, CEO and founder of High-Tech Bridge, a firm that specializes in penetration testing and vulnerability discovery.
“Bug bounties,” he said, “can be an extremely effective tool if they are implemented and operated correctly. The problem, however, is that this is difficult to do and rarely achieved, and they can actually do more harm than good.”
The main problem is that once a bounty program is in place, hackers consider it a green light to attack the system. Those who attack are frequently hackers who have very limited experience with professional security testing, actors who can actually damage the system they are probing. “Checking for XSS is harmless and even without a bounty program I would say perfectly legal if the investigation is used to notify the vendor,” said Kolochenko. “But in checking for something more dangerous, like SQLi flaws, if the researcher is not skilled enough, he could unintentionally delete something or make something unusable by incompetent testing. I am not even speaking about automated tools and scanners that can seriously harm live systems if used blindly. The problem is that quite often crowds of young hackers use a dozen vulnerability scanners simultaneously to fuzz the victim. They bet on the quantity rather than the quality of security checks.”
In many jurisdictions, SQLi probing could be considered illegal. The presence of a bounty program, however, removes this restriction even for low-calibre hackers. High-level researchers, added Kolochenko, don’t usually care about bug bounties. “Competent researchers are not usually the people who regularly submit bugs to collect the bounties, simply because that is not their motivation. They may do it from time to time for glory or mainly for fun/challenge, but that’s definitely not their core business/hobby.”
But if we have a situation where the existence of a bounty scheme has intrinsic dangers, this is often exacerbated by the bounty itself. Consider the starting point for Twitter’s program: $140. “It’s almost an insult,” said Kolochenko. “Personally I don’t know any professional security researcher who would be interested in digging into Twitter systems for $140 – in fact I don’t know anyone who would systematically do it for $1400 – Twitter is not a small self-written CMS. Its audit requires serious experience, qualification and plenty of time. And time is money. Obviously, people [who submit vulnerabilities to Twitter these days] may be motivated by glory and challenge, but such motivation usually disappears quite quickly.”
In fact, Twitter isn’t even the worst culprit. HackerOne Inc. coordinates numerous bounty schemes for many companies, and a quick glance through its Public Programs page shows a large number of very small bounties. While OpenSSL offers a minimum bounty of $2500 and Sandbox Escape offers $5000, Yahoo offers a pitiful $50. Even this, however, is an improvement. You may recall that almost exactly a year ago Kolochenko found and reported four XSS vulnerabilities on Yahoo. His reward was a $12.50 discount voucher to be spent in the Yahoo Store – in other words, a T-shirt with Yahoo’s logo. The public outcry was so great that Yahoo rapidly evolved a new scheme, which it said at the time would start at $150. It seems to have had second thoughts and dropped this to just $50.
Is the solution simply to offer greater rewards in order to attract more serious researchers? Partly, says Kolochenko – but another issue is the way the schemes are implemented. “The problem is companies think that bug bounties are simply something they can announce and that will be enough.” Management often thinks it’s a good idea that can be handled by IT without any further resources (other than the bounty itself).
This is not the case, says Kolochenko – an efficient bug bounty program actually requires a dedicated team to handle it effectively. It’s those inexperienced beginners and enthusiasts again. “They’re not always very good at explaining the vulnerability, often just submitting a screen-shot or a raw HTTP request as the only explication and/or proof. The company then has to spend hours trying to work out what they’re trying to say – is it a vulnerability, a weakness, a feature; a false-positive; a third-party software vulnerability; etc.”
An under-resourced bounty team can easily become overloaded and fail to reply. The danger here, suggests Kolochenko, is that the researcher is easily offended. “OK, if you’re not interested in what we’ve discovered, we’ll swap our white hat for a grey/black hat and talk to someone else who may well pay us more.” So once again, a poorly implemented bounty scheme might end up causing more harm than it prevents. Moreover, one should not forget that a bug bounty, even when properly implemented, can never replace professional information security services and solutions; it can only complement them.
Does this mean, then, that bug bounty schemes should be abandoned?
“Not at all,” said Kolochenko. “A well-resourced and implemented bug bounty scheme can be very useful. But it should be considered as part of the company’s overall security posture and planned, implemented and resourced as such.” It is not something that can just be announced and expected to work, but something that offers sufficient rewards (not only financial ones) to attract top-grade researchers. For example, a job offer for the top researcher of the year would be a great motivator for many talented people from developing countries, as well as a great benefit to corporate security. Companies should also clearly understand and keep in mind that a bug bounty requires a serious financial investment, and a team to handle all the submissions. With all of this in place, says Kolochenko, the bug bounty scheme becomes an additional, very useful security layer for the service provider.
About High-Tech Bridge
Headquartered in Geneva, Switzerland, High-Tech Bridge provides customers in Europe, the United States, the Middle East and across the globe with information security services such as penetration testing, security auditing, computer crime investigation and web application security testing.
In 2012, analyst firm Frost & Sullivan recognised High-Tech Bridge as one of the market leading service providers in the ethical hacking industry. High-Tech Bridge also received the prestigious Online Trust Alliance Honor Roll award in 2012, 2013 and 2014.